This has always bugged me, maybe it's bugged you...
Currently, the standard acct struct in acct.h doesn't include pid and ppid.
Considering that the structure was originally intended for process
accounting and chargebacks (and the like), this was understandable.
Adding these two fields seems like a lightweight way to get some
additional logging useful for security analysis without a lot of work.
It looks like the only side-effect to adding these two fields is that
existing progs that use the struct to read acct files would need to be
recompiled.
Any comments?
Ideally, the ac_comm field should be replaced with something that includes
the command-line args, but I'll leave discussion for another day. ;-)
-- thx, kjj
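
The recompilation side-effect mentioned above, shown as an added example that is not part of the original post. The two layouts are simplified, hypothetical stand-ins for the accounting record (not the real struct acct), and write_new, read_old and size_matches are illustrative names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical layouts for illustration; NOT the real struct acct. */
struct old_rec { char comm[10]; uint16_t flag; uint32_t uid; };
struct new_rec { char comm[10]; uint16_t flag; uint32_t uid;
                 uint32_t pid; uint32_t ppid; };   /* proposed fields appended */

/* Writer built against the new header: emits n fixed-size records. */
static size_t write_new(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct new_rec r;
        memset(&r, 0, sizeof r);                         /* no stray padding bytes */
        snprintf(r.comm, sizeof r.comm, "proc%zu", i);   /* constructed sample data */
        r.uid = 1000 + (uint32_t)i;
        r.pid = 100 + (uint32_t)i;
        r.ppid = 1;
        memcpy(buf + i * sizeof r, &r, sizeof r);
    }
    return n * sizeof(struct new_rec);
}

/* Reader built against the old header: steps through the file by the old size. */
static int read_old(const unsigned char *buf, size_t len, size_t idx, struct old_rec *out)
{
    if ((idx + 1) * sizeof *out > len) return -1;
    memcpy(out, buf + idx * sizeof *out, sizeof *out);
    return 0;
}

/* Heuristic sanity check for a reader: the file length should be a multiple of
 * its record size. It can pass by coincidence, so it is not proof of a match. */
static int size_matches(size_t len, size_t rec_size) { return len % rec_size == 0; }

int main(void)
{
    unsigned char file[3 * sizeof(struct new_rec)];
    size_t len = write_new(file, 3);
    struct old_rec r;
    for (size_t i = 0; read_old(file, len, i, &r) == 0; i++)
        printf("old reader rec %zu: comm=\"%.10s\" uid=%u\n", i, r.comm, (unsigned)r.uid);
    printf("length check for old reader: %s\n",
           size_matches(len, sizeof(struct old_rec)) ? "ok" : "mismatch");
    return 0;
}
```

The first record still decodes because the new fields are appended, but every later record is read at the wrong offset until the reader is rebuilt against the new header.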